Who Defines Merchant and Service Provider Levels?

Explore how major payment card organizations establish and enforce specific data security compliance tiers for businesses handling transactions.

The security of payment card transactions is an important concern for businesses. Because organizations handle card data in very different volumes and ways, a tiered approach to security is needed: each tier aligns the required security measures and validation with the volume and nature of the transactions an entity processes, so that sensitive cardholder data is protected in proportion to the risk.

The Primary Authority for Defining Levels

The major payment card brands, including Visa, Mastercard, American Express, Discover, and JCB, are the primary entities responsible for defining merchant and service provider levels. These definitions are based on the annual volume of payment card transactions an entity processes. Each card brand operates its own compliance program, establishing specific thresholds for these levels.

While the Payment Card Industry Security Standards Council (PCI SSC) develops the Payment Card Industry Data Security Standard (PCI DSS), individual payment brands interpret and enforce these standards. The payment brands determine the specific levels and their corresponding requirements within their own compliance mandates, ensuring their particular risk assessments and program needs are met.

Merchant Level Criteria

Payment card brands categorize merchants into four distinct levels based on their annual transaction volume. Level 1 merchants process over 6 million transactions annually across all channels. These large-volume merchants face the most stringent compliance validation, often requiring an annual on-site assessment by a Qualified Security Assessor (QSA) and quarterly network scans by an Approved Scanning Vendor (ASV).

Level 2 merchants handle between 1 million and 6 million transactions per year. Their validation usually involves an annual Self-Assessment Questionnaire (SAQ) and quarterly ASV scans, though some may opt for an on-site assessment.

Merchants processing between 20,000 and 1 million transactions annually are classified as Level 3, particularly for e-commerce transactions. They commonly complete an annual SAQ and undergo quarterly ASV scans.

The smallest merchants, those processing fewer than 20,000 e-commerce transactions or under 1 million total transactions annually, are Level 4. Compliance for Level 4 merchants generally involves an annual SAQ and quarterly ASV scans, with requirements potentially varying by acquiring bank. A merchant’s level can also be elevated regardless of transaction volume if it experiences a data breach or is identified as posing an increased security risk.

Service Provider Level Criteria

Service providers are entities involved in the storage, processing, or transmission of cardholder data on behalf of other organizations. These include entities like payment gateways, web hosting companies, and data centers. Service providers are categorized into two levels: Level 1 and Level 2.

Level 1 service providers process more than 300,000 transactions annually or store cardholder data for third parties. They are required to undergo an annual on-site assessment by a QSA and quarterly ASV scans. Level 2 service providers process fewer than 300,000 transactions annually. Their compliance validation involves an annual Self-Assessment Questionnaire (SAQ D) and quarterly ASV scans.

The Role of Acquirers and Processors

While payment brands define the compliance levels, acquiring banks (acquirers) and payment processors play a direct role in implementing and enforcing these standards. Acquirers are the primary point of contact for merchants, communicating the applicable PCI DSS level requirements. They are responsible for determining the specific validation and reporting methods their merchant customers must follow, such as requiring an SAQ or a full Report on Compliance.

Acquirers and processors monitor compliance, often providing resources or access to Qualified Security Assessors to facilitate the compliance process. They also have the authority to impose fines and penalties on merchants for non-compliance. These penalties, which can range from $5,000 to $100,000 per month, are often passed down from the card brands to the acquirer and then to the non-compliant merchant, underscoring the financial consequences of failing to adhere to defined security levels.
